
How do you implement honeypots in your organization to target malware?

Posted by Geraldine Hunt on Thu, Oct 15th, 2015

In a previous article, we gave an overview of honeypots. Here we continue the discussion, with more detailed information concerning practical implementation. Remember that a honeypot is a highly flexible tool with many different applications to security. There are versions available that specifically target malware, web services, SCADA/ICS, and other services.

Determining the proper level of interaction

Honeypots come with different levels of interaction. Interaction measures how much activity a honeypot allows the attacker. The more interaction is permitted, the more you can learn about the attacker and his intentions. However, more interaction means more complexity in implementation and maintenance, and it increases the risk of the attacker breaking out of the honeypot and using it as a foothold against the real production systems.

A high-interaction honeypot runs an actual operating system (or several), so the attacker is working against a real system; a low-interaction honeypot only emulates the services it presents, typically just far enough to capture what the attacker sends. Most commercial or open-source honeypot systems offer a menu of purpose-built ("designer") honeypots, each emulating a particular service, to choose from.
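As an added illustration of what "emulation" means in a low-interaction honeypot (this is example code written for this article, not part of any of the packages named below), the following Python script listens on a TCP port, speaks only the first step of the SSH protocol, the version-string exchange from RFC 4253, and records each client's banner plus whatever it sent next. It never completes a key exchange, so there is nothing for an attacker to break out of, yet the client banner alone identifies most scanning and brute-force tools. The advertised version string, the loopback address and the probe banner are constructed for the example.

```python
"""Minimal low-interaction SSH honeypot: it speaks only the banner exchange."""
import socket
import threading
import time
from dataclasses import dataclass

# Version string the honeypot advertises (constructed for this example; it
# should match the operating system the honeypot pretends to be).
FAKE_BANNER = b"SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3\r\n"


@dataclass
class Event:
    ts: float            # wall-clock time of the connection
    peer: str            # "ip:port" of the connecting client
    client_banner: str   # version string the client identified itself with
    first_bytes: bytes   # whatever followed the banner (normally the start of KEXINIT)


class SSHBannerHoneypot:
    def __init__(self, host="127.0.0.1", port=0):
        self.host, self.port = host, port    # port 0 lets the kernel choose one
        self.events = []
        self._lock = threading.Lock()
        self._sock = None

    def start(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(16)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self.port

    def stop(self):
        if self._sock:
            self._sock.close()

    def _accept_loop(self):
        while True:
            try:
                conn, addr = self._sock.accept()
            except OSError:                    # listening socket closed by stop()
                return
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        ts, data = time.time(), b""
        with conn:
            conn.settimeout(5)
            try:
                conn.sendall(FAKE_BANNER)      # RFC 4253: either side may send its banner first
                while b"\r\n" not in data and len(data) < 1024:
                    chunk = conn.recv(256)
                    if not chunk:
                        break
                    data += chunk
            except OSError:
                pass                           # timeout or reset: log what we have
        banner, _, rest = data.partition(b"\r\n")
        with self._lock:
            self.events.append(Event(ts, f"{addr[0]}:{addr[1]}",
                                     banner.decode("ascii", "replace"), rest))

    def wait_for_events(self, n, timeout=5.0):
        """Block until n events are recorded (or the timeout passes)."""
        deadline = time.time() + timeout
        while True:
            with self._lock:
                if len(self.events) >= n or time.time() >= deadline:
                    return list(self.events)
            time.sleep(0.05)


def probe(port, client_banner, host="127.0.0.1"):
    """Behave like a scanner: read the server banner, send ours, hang up."""
    with socket.create_connection((host, port), timeout=5) as s:
        server_banner = s.recv(256)
        s.sendall(client_banner + b"\r\n")
    return server_banner


def demo():
    hp = SSHBannerHoneypot()
    port = hp.start()
    try:
        seen = probe(port, b"SSH-2.0-libssh2_1.4.3")   # banner typical of brute-force bots
        events = hp.wait_for_events(1)
    finally:
        hp.stop()
    return seen, events


if __name__ == "__main__":
    seen, events = demo()
    print("honeypot advertised:", seen.strip().decode())
    for e in events:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(e.ts))
        print(f"{stamp} {e.peer} identified as {e.client_banner!r}")
```

Because the script stops before key exchange, a real SSH client will report a protocol error and nmap's version scan will still read the banner as OpenSSH; that is the trade-off of low interaction: cheap and safe, but only the first few bytes of each attack are captured.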

Types of Honeypot Packages

The easiest approach by far is to implement a package. There are a large number available commercially (or for free!) that serve an array of needs, such as the following:

Kippo - A medium-interaction honeypot that presents a fairly convincing SSH server, complete with a fake file system. Kippo records the intruder's session and allows it to be replayed.

Glastopf - A low-interaction honeypot that emulates known web vulnerabilities such as SQL injection.

Honeyd - A low-interaction honeypot that simulates multiple hosts and services on a single machine by answering for unused IP addresses on the network, which presents a more convincing environment to attackers. It runs on Linux/Unix but can emulate various operating systems and services. This matters because each operating system responds slightly differently to the same packets. Since Honeyd emulates the chosen operating system at the TCP/IP stack level (it draws on the same fingerprint database that nmap uses), it can fool even sophisticated network analysis tools such as nmap. When an attack occurs, Honeyd can passively attempt to identify the remote host. The honeyd website also provides a series of useful "Know Your Enemy" papers.

Thug - A client-side honeypot (honeyclient) that emulates a web browser. It is designed to automatically interact with the malicious website to explore its exploits and malicious artifacts, often in the form of JavaScript.

Ghost USB - Emulates a USB flash drive on a Windows host. Malware that spreads by copying itself to removable media writes itself to the "ghost" drive, and that write is detected and logged as an infection.

Comprehensive Honeypot Packages

Honeypots such as those mentioned above are often bundled together, along with unified reporting capabilities. These bundles include:

HoneyDrive - This Linux distribution is a virtual appliance (OVA) based on Xubuntu. It provides more than 10 pre-installed and pre-configured honeypot software packages, as well as analysis and monitoring tools.

MHN (Modern Honeypot Network) - This open source project uses a Mongo database and provides extensive tools for deploying honeypot sensors and collecting their data centrally.

KFSensor - An extensive Windows-based honeypot system. It is a professional-grade product with a high price tag, but its flexibility is hard to beat.

Building your own honeypot system

You would spend much time installing and tuning software to match the capabilities of such comprehensive packages as KFSensor, MHN, and HoneyDrive. If that is your idea of fun, here are some considerations (https://www.sans.org/security-resources/idfaq/honeypot3.php ):

Log all packets going to and from the honeypot system. Since the honeypot offers no production service, there is no legitimate reason for any such traffic, so every packet is evidence worth keeping.

Use a protocol analyzer such as Wireshark to analyze the attacks, focusing on the packets transiting between the firewall and the honeypot. Be warned that a full capture requires a large amount of disk space; use the analyzer's capture filters to limit what is recorded to the honeypot's addresses. Preserve the intruder packets' order, sequence, time stamps, and packet types, since these are important clues to the intruder's intentions.

On a Linux honeypot, make sure syslogd (or rsyslog) is configured to forward its logs to a remote server, so that an intruder who gains control of the honeypot cannot erase the record.

Use the firewall's logging and notification capabilities to alert you whenever traffic to or from the honeypot occurs.
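Putting these considerations together, here is an added example (not from the original article or the SANS page) of the triage a practitioner would run on the remote log collector: it reads iptables LOG lines as syslog delivers them, keeps only those involving the honeypot address, preserves their order and time stamps, and turns them into alerts, treating any connection the honeypot itself initiates as critical. It assumes the gateway logs honeypot traffic with iptables' LOG target using the prefix "HONEYPOT: " (rules shown in the comment) and forwards kernel messages to the collector; the honeypot address, the other addresses and the log lines are all constructed. A full packet capture (for instance with tcpdump -w) still belongs beside this for Wireshark analysis; the firewall log is the lighter-weight alerting feed.

```python
"""Triage iptables LOG lines (received via syslog) that involve the honeypot."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Honeypot address: TEST-NET-1, constructed for this example.
HONEYPOT_IP = "192.0.2.10"

# Assumed firewall rules feeding this log (an assumption of this example, not
# from the article). On the gateway in front of the honeypot:
#   iptables -I FORWARD -d 192.0.2.10 -j LOG --log-prefix "HONEYPOT: "
#   iptables -I FORWARD -s 192.0.2.10 -j LOG --log-prefix "HONEYPOT: "
# and in rsyslog, forward kernel messages off-box:  kern.*  @@loghost:514

# Constructed sample lines in the shape the iptables LOG target produces.
# Line 3 is ordinary traffic to a production host and must be ignored;
# line 5 is the honeypot *initiating* a connection, the worst sign of all.
SAMPLE_LOG = """\
Oct 15 14:03:22 gw kernel: HONEYPOT: IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 15 14:03:22 gw kernel: HONEYPOT: IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 15 14:03:40 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.20 LEN=60 TTL=60 ID=0 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 15 14:05:01 gw kernel: HONEYPOT: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=60 ID=0 DF PROTO=TCP SPT=40002 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 15 14:09:13 gw kernel: HONEYPOT: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.99 LEN=60 TTL=64 ID=4242 DF PROTO=TCP SPT=38112 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class Packet:
    seq: int              # position in the log: order is evidence, so keep it
    ts: str
    direction: str        # "inbound" (to the honeypot) or "outbound" (from it)
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    flags: str            # bare tokens such as DF / SYN / ACK


def parse_line(seq, line):
    """Return a Packet for a honeypot-related LOG line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    kv = dict(KV_RE.findall(rest))
    if HONEYPOT_IP not in (kv.get("SRC"), kv.get("DST")):
        return None                       # production traffic: not ours

    def port(key):
        return int(kv[key]) if key in kv else None

    flags = [t for t in rest.split() if "=" not in t and t.isalpha()]
    direction = "inbound" if kv.get("DST") == HONEYPOT_IP else "outbound"
    return Packet(seq, m.group("ts"), direction, kv.get("SRC", "?"), kv.get("DST", "?"),
                  kv.get("PROTO", "?"), port("SPT"), port("DPT"), " ".join(flags))


def triage(log_text):
    """Return (packets in log order, alerts as (seq, message) in log order)."""
    packets = [p for p in (parse_line(i, line)
                           for i, line in enumerate(log_text.splitlines(), 1)) if p]
    by_src = defaultdict(list)
    alerts = []
    for p in packets:
        if p.direction == "outbound":
            # The honeypot never initiates traffic; if it does, it has been
            # compromised or the malware it caught is phoning home.
            alerts.append((p.seq, f"{p.ts} CRITICAL honeypot initiated "
                                  f"{p.proto} to {p.dst}:{p.dport} [{p.flags}]"))
        else:
            by_src[p.src].append(p)
    for src, hits in by_src.items():
        ports = sorted({q.dport for q in hits if q.dport is not None})
        alerts.append((hits[0].seq, f"{hits[0].ts} probe from {src}: "
                                    f"{len(hits)} packets, destination ports {ports}"))
    alerts.sort(key=lambda a: a[0])       # back in the order the log saw them
    return packets, alerts


if __name__ == "__main__":
    for seq, msg in triage(SAMPLE_LOG)[1]:
        print(f"#{seq} {msg}")
```

Feeding this the live syslog stream (for example with tail -F on the collector's kernel log) gives the firewall-driven alerting the list above asks for, without touching the honeypot itself; the inbound alerts are a quick view of who is probing which ports, and the outbound alert is the one that should page someone.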

Honeypot Detection by Attackers

Attackers have their own countermeasures against honeypots, and they swap information about known honeypots with each other. The good news is that, as we mentioned, there are many different systems in use, which makes it harder for attackers to look for a single signature betraying the existence of a honeypot. Some experts believe that each honeypot should have a "deception port", an open port that allows attackers to detect the honeypot; supposedly this convinces attackers that they are dealing with a sophisticated adversary and deters them from pursuing their attacks. Telltale signs that let an attacker recognize a honeypot include the following:

Operating systems and software have been installed using the defaults.

File and folder names are too obviously attractive, for example, a file called "social security numbers".

There is very little software installed.

Still Want to Install Honeypots?

Before you initiate your honeypot you must also consider the legal implications; the main legal issues with honeypots are entrapment and privacy. This and the previous honeypot article have provided a short overview of honeypots. To create and/or install a system, you will need more detailed information and a person or team with the technical expertise.